Posted on Mon, Aug 02, 2010 @ 09:01 AM
Securing our nation against cyber attacks has become one of the nation's highest priorities. To achieve this objective, the US Comprehensive National Cybersecurity Initiative (CNCI) has proposed that "offense must inform defense." In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses.
The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting the U.S. ICE Act of 2009 (the new FISMA). That new proposed legislation calls upon Federal agencies to (and on the White House to ensure that they):
"monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations" and "continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented."
Because federal agencies do not have unlimited money, current and past federal CIOs and CISOs have agreed that the only rational way they can hope to meet these requirements is to jointly establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.
Consequently, a consensus document of 20 crucial controls was designed to begin the process of establishing the prioritized baseline of information security measures and controls that can be applied across Federal enterprise environments. The 20 specific technical security controls are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future.
Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that do not appear to be able to be monitored continuously or automatically with current technology and practices.
Each of the 20 control areas includes multiple individual subcontrols, each specifying actions an organization can take to help improve its defenses. Here are the 20:
Critical Controls Subject to Automated Collection, Measurement, and Validation:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
Posted on Tue, Jul 06, 2010 @ 07:50 AM
How did you do with the quiz? Correct answers are marked with a bullet (•).
- 0-1 Security fail (maybe time to consider another career)
- 3-5 Hacker's delight (see recommendation above)
- 6-8 Formidable defender (not too shabby)
- 9-10 Best practices model (worth every penny you are paid)
1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?
•b. ISAKMP
The tunnel is used to negotiate security parameters for the main IPSec tunnel.
2. How can ports 80 and 443 be defended against Web-based threats?
- a. Web application firewalls
- b. Content filtering
- c. White lists
- d. Black lists
•e. All of the above
3. Two-factor authentication can include something you have, something you know and...
•a. Something you are
- b. Something you make up
- c. Something encrypted
- d. Something unique
This can include retina or fingerprint scans or other biometrics.
4. What do corporate security executives regard as the biggest threat to security?
- a. Removable media such as thumb drives
- b. Malicious insiders
•c. Web 2.0 applications
- d. Unpatched operating systems
According to Symantec, this can include social media such as Facebook and Twitter.
5. The goal of network access control (NAC) is:
- a. Remediating security shortcomings of machines before they connect to networks
- b. Making sure devices adhere to access policies once admitted to networks
- c. Linking machines with user identities to impose appropriate policies on them
•d. All of the above
And some vendors say NAC should do more.
6. What means did attackers in China use to infiltrate Google's network?
- a. Social engineering using Facebook
- b. Introducing malware via cross-site scripting of Web sites
•c. Exploiting a flaw in Internet Explorer
- d. Brute-force attack of Google executives' passwords
7. Which botnet advance has made eradicating them more difficult?
•a. Embedding command and control capabilities in zombie machines
- b. Reinfection via social media sites
- c. Sheer number overwhelms defensive measures
- d. Use of rootkits to make bot software more difficult to dislodge
When command and control nodes shift, it becomes more difficult to shut them and their subject machines down.
8. Which of the following is not an example of an application vulnerability?
- a. Lack of sufficient logging
- b. Fail-open error handling
- c. Failure to properly close database connections
•d. Running with least privilege
This is actually recommended to strengthen applications.
9. What is one downside of public key encryption?
- a. It is less secure than using secret keys
•b. It requires a trusted party to verify public keys
- c. It cannot ensure confidentiality
- d. It cannot ensure authenticity
10. Which is not a Wi-Fi security option?
•c. ICMP
Posted on Mon, Jun 28, 2010 @ 10:24 AM
Network World published this quiz to test your knowledge of IT security. Take the test to see how much of a security expert you really are. We'll publish the answers in the next blog.
1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?
- a. IKE
- b. ISAKMP
- c. Lincoln Tunnel
- d. SSL
2. How can ports 80 and 443 be defended against Web-based threats?
- a. Web application firewalls
- b. Content filtering
- c. White lists
- d. Black lists
- e. All of the above
3. Two-factor authentication can include something you have, something you know and...
- a. Something you are
- b. Something you make up
- c. Something encrypted
- d. Something unique
4. What do corporate security executives regard as the biggest threat to security?
- a. Removable media such as thumb drives
- b. Malicious insiders
- c. Web 2.0 applications
- d. Unpatched operating systems
5. The goal of network access control (NAC) is:
- a. Remediating security shortcomings of machines before they connect to networks
- b. Making sure devices adhere to access policies once admitted to networks
- c. Linking machines with user identities to impose appropriate policies on them
- d. All of the above
6. What means did attackers in China use to infiltrate Google's network?
- a. Social engineering using Facebook
- b. Introducing malware via cross-site scripting of Web sites
- c. Exploiting a flaw in Internet Explorer
- d. Brute-force attack of Google executives' passwords
7. Which botnet advance has made eradicating them more difficult?
- a. Embedding command and control capabilities in zombie machines
- b. Reinfection via social media sites
- c. Sheer number overwhelms defensive measures
- d. Use of rootkits to make bot software more difficult to dislodge
8. Which of the following is not an example of an application vulnerability?
- a. Lack of sufficient logging
- b. Fail-open error handling
- c. Failure to properly close database connections
- d. Running with least privilege
9. What is one downside of public key encryption?
- a. It is less secure than using secret keys
- b. It requires a trusted party to verify public keys
- c. It cannot ensure confidentiality
- d. It cannot ensure authenticity
10. Which is not a Wi-Fi security option?
- a. WEP
- b. WPA
- c. ICMP
- d. 802.11i
Posted on Thu, May 20, 2010 @ 01:48 PM
The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.
Threat #1: Abuse and Nefarious Use of Cloud Computing
Remediation
- Stricter initial registration and validation processes
- Enhanced credit card fraud monitoring and coordination
- Comprehensive introspection of customer network traffic
- Monitoring public blacklists for one's own network blocks
Threat #2: Insecure Interfaces and APIs
Remediation
- Analyze the security model of cloud provider interfaces
- Ensure strong authentication and access controls are implemented in concert with encrypted transmission
- Understand the dependency chain associated with the API (application program interface)
Threat #3: Malicious Insiders
Remediation
- Enforce strict supply chain management and conduct a comprehensive supplier assessment
- Specify human resource requirements as part of legal contracts
- Require transparency into overall information security and management practices, as well as compliance reporting
- Determine security breach notification processes
Threat #4: Shared Technology Issues
Remediation
- Implement security best practices for installation/configuration
- Monitor environment for unauthorized changes/activity
- Promote strong authentication and access control for administrative access and operations
- Enforce service level agreements for patching and vulnerability remediation
- Conduct vulnerability scanning and configuration audits
Threat #5: Data Loss or Leakage
Remediation
- Implement strong API access control
- Encrypt and protect integrity of data in transit
- Analyze data protection at both design and run time
- Implement strong key generation, storage and management, and destruction practices
- Contractually demand providers wipe persistent media before it is released into the pool
- Contractually specify provider backup and retention strategies
Threat #6: Account or Service Hijacking
Remediation
- Prohibit the sharing of account credentials between users and services
- Leverage strong two-factor authentication techniques where possible
- Employ proactive monitoring to detect unauthorized activity
- Understand cloud provider security policies and SLAs
Threat #7: Unknown Risk Profile
Remediation
- Disclosure of applicable logs and data
- Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
- Monitoring and alerting on necessary information
Posted on Wed, May 19, 2010 @ 02:17 PM
The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we review the top 7 threats. In Part 2 we'll review the remedial steps you can take to reduce your risk profile.
Threat #1: Abuse and Nefarious Use of Cloud Computing
IaaS (Infrastructure as a Service) providers offer their customers immediate access to cloud services. The anonymity afforded in registration has attracted spammers, malicious code authors, and other criminals. PaaS providers (Platform as a Service) have traditionally suffered most from this kind of attack; however, recent evidence shows that hackers have begun to target IaaS vendors as well.
Threat #2: Insecure Interfaces and APIs
Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. Increased risk occurs as organizations may be required to relinquish their credentials to third parties in order to enable certain functionality.
Threat #3: Malicious Insiders
The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. The level of access granted could enable workers with malicious intent to operate with little or no risk of detection.
Threat #4: Shared Technology Issues
IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform.
Threat #5: Data Loss or Leakage
The threat of data compromise increases in the cloud due to the number of interactions which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
Threat #6: Account or Service Hijacking
Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
Threat #7: Unknown Risk Profile
One of the tenets of cloud computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business strengths. This has clear financial and operational benefits, which must be weighed carefully against the hidden security posture of the provider. Security by obscurity may be low effort, but it can result in unknown exposures.
Posted on Mon, May 03, 2010 @ 12:59 PM
We're all familiar with the concept of people being fingerprinted to verify identities. But now Uniloc USA, an Irvine, California company has developed Physical Device Recognition (PDR) technology that creates a unique fingerprint for networked devices. The implementation of their NetAnchor server software, security appliance and management software creates a trusted-device network in which only authenticated devices are allowed to communicate.
Authorized client machines are identified using Uniloc's PDR technology to generate a device fingerprint based on the unique and inherent characteristics of each device. The device characteristics are based both on naturally occurring manufacturing imperfections as well as intentional configuration differences. This fingerprint becomes an authentication credential that is locked to that device.
One of Uniloc's target markets for this technology is industrial control systems in industries designated as critical infrastructure, including water, power, oil and gas, chemicals and transportation. The idea is to leverage a unique device fingerprint in trusted communications between SCADA (Supervisory Control and Data Acquisition) master stations and RTUs (Remote Terminal Units) and PLCs (Programmable Logic Controllers).
Most recently the company has been focusing on network security professionals with the pitch of adding another authentication credential (device fingerprint) to network edge devices. Their story goes like this:
"While there is a trend towards moving technology into the cloud, properly validating the identity of a user, or user authentication, must continue to occur on the connected device. Today's passwords are not reliable enough for advanced cloud concepts like billable edges but many authentication technologies like smart cards are too expensive and inconvenient. Uniloc's Edge ID identifies the device itself for an affordable, enhanced user authentication without any user hassle."
Will this technology fly in the long run? Or will it be just another great idea that ends up in the "that's interesting" bin of technology landfills? We'll just have to see.
Posted on Mon, May 03, 2010 @ 12:09 PM
The Transportation Security Administration (TSA) has on its website a diagram of its "defense-in-breadth" strategy. I got a kick out of it because you could liken it to the "defense-in-depth" strategy of many network security professionals.
The TSA says "each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system." So if you get through one layer, the argument goes, you'll get caught in another. Maybe 21 layers is the secret number for network security as well? Just a thought.
Posted on Wed, Feb 10, 2010 @ 09:32 AM
The Department of Energy (DOE) has a goal to secure control systems used in the energy sector from malicious cyber attacks: attacks that could lead to potentially catastrophic disruptions in our critical infrastructures. As part of this effort, DOE created a document called "Roadmap to Secure Control Systems in the Energy Sector." As I was reading it I came across some interesting nuggets about previous attacks on utilities (Source: GAO 2004, Reed 2005). Some things you may not hear on David Letterman.
- 1. Unsuspected code hidden in transferred product (USSR, 1982)
While the following cannot be confirmed, it has been reported that during the Cold War the CIA inserted malicious code into control system software leaked to the Soviet Union. The software, which controlled pumps, turbines, and valves on a Soviet gas pipeline, was programmed to malfunction after a set interval. The malfunction caused the control system to reset pump speeds and valve settings to produce pressures beyond the failure ratings of pipeline joints and welds, eventually causing an enormous explosion.
- 2. Hacker exploits cross-sector interdependence (Massachusetts, USA, 1997)
A teenager hacked into and remotely disabled part of the public switching network, disrupting phone service for local residents and the fire department and causing a malfunction at a nearby airport.
- 3. Insider hacks into sewage treatment plant (Australia, 2001)
A former employee of the software developer hacked into the SCADA system that controlled a Queensland sewage treatment plant, causing a large sewage discharge over a sustained period. He was caught and sentenced to two years in prison in 2001.
- 4. Worm exploits interconnected business and operations networks (Ohio, USA, 2003)
The SQL Slammer worm infiltrated the operations network of the Davis-Besse nuclear power plant via a high-speed connection from an unsecured contractor's network (after the corporate firewall had previously blocked the worm). After migrating from the business network to the operations network, the worm disabled the panel used to monitor the plant's most crucial safety indicators for about five hours and caused the plant's process computer to fail; recovery for the latter took nearly six hours. Luckily, the plant was off-line at the time.
These stories were used to illustrate the U.S. government's concern about the potential for cyber attacks on the energy sector. And as smart grid technology evolves to tie everyone and everything together in a futuristic, postmodern indulgence of technology in daily life, we will need all the security we can get.
GAO. 2004. Critical infrastructure protection: Challenges and efforts to secure control systems (GAO-04-354). Government Accountability Office.
Reed, T. 2005. At the abyss: An insider's history of the Cold War. Random House.
Posted on Wed, Jan 20, 2010 @ 01:02 PM
Professor Howard A. Schmidt, White House CyberSecurity Advisor and CEO of the Information Security Forum, spoke recently on the emerging threats created by the global economic upheaval. As businesses of all sizes expand via the Internet to engage with sales, production and distribution partners around the world, new threats emerge.
Political - Espionage, previously the stuff of the Cold War and Hollywood entertainment, has become a reality because almost anyone can use the Internet to unearth and piece together confidential information on individuals, governments and corporations. What is illegal behavior in the U.S. may not be illegal in the other countries your business operates in.
Legal - Theft and misuse of other companies' intellectual property and brand names is commonplace, and laws differ across each border. We hear about identity theft regularly on the news. Electronic evidence can now be retrieved from all sorts of communication devices and protocols between employees and the world. What you say, where you say it and how you say it must now be monitored.
Economic - Organized crime has evolved from the days of extorting storekeepers for "protection" to well-planned thefts of credit card information and kidnapping of customer hard drives via the Web. Emerging nations are using technology to help their struggling economies, but in the midst of that growth, criminals exploit the rudimentary architectures and security vulnerabilities.
Socio-cultural - High unemployment has swelled the ranks of disgruntled employees and thus creates an environment for increased employee data theft, fraud, embezzlement, corruption and risk.
Web enablement of society - As more and more devices that are part of daily life become web-enabled the possibility of security incidents that have life threatening impact becomes real. An example is IP-enabled pacemakers. These devices contain a radio transmitter which connects wirelessly to receiving equipment to report on the condition of the patient's heart. Any problems are instantly reported to the doctor, and regular checkups can be done by remotely interrogating the home-based equipment. Imagine the impact on a person's life if the network were to be compromised.
5 steps to reduce global risk
The things you can do to reduce risk in this global economy, according to Professor Schmidt, include:
- 1. Get the basics right - Identify critical and sensitive information that requires special handling and secure management. Continually re-assess your risks, identify and deploy security controls and re-examine your security function activities.
- 2. Throw out assumptions - Look beyond historical data that might say "we've never had a security breach" because complacency is the point where your risk grows greatest. Question your long-held beliefs about security and about the nature of threats from employees and business partners.
- 3. Plan for uncertainty - Prepare for a whole new world where wireless communication is the norm. And where cyber criminals lurk in the alleys off each transmission. Develop and rehearse responses in the event of a security incident, much like disaster recovery drills.
- 4. Become a risk champion - Adapt to changes in your organization's risks. If previous security plans were based on old technologies that have since been updated, then update your security strategy and plans as well.
- 5. Build for the future - Maintain your capabilities to respond to incidents; collaborate with others and have an end-to-end strategy.
Posted on Wed, Nov 11, 2009 @ 12:45 PM
The Internet Corporation for Assigned Names and Numbers (ICANN), the governing body that acts as steward for Internet domain naming conventions, announced in October that it will expand the domain name system (DNS) to include non-Latin (non-English) characters for the first time. So in addition to English domain names, starting in 2010 there will be domain names in Chinese, Arabic, Russian and other languages over time.
Domain names, the Internet addresses that end in ".com" and other suffixes, are the key addresses behind every Web site and e-mail address. Since their creation in the 1980s, domain names have been limited to the 26 characters of the Latin alphabet used in English (A-Z), as well as the 10 numerals and the hyphen. Technical tricks have been used to allow portions of the Internet address to use other scripts, but until now, the suffix had to use those 37 characters.
This is an exciting event for the hundreds of millions of online users whose native language is not English. However, how will this impact network security going forward?
The well-known security researcher Dan Kaminsky is famous for a critical flaw he found in the Domain Name System protocol last summer. DNS is the protocol that translates domain names (such as zonealarm.com) to numeric Internet Protocol addresses (such as 209.87.209.206). Kaminsky showed that, by exploiting the flaw, a DNS server can be tricked into resolving a domain name to a different IP address.
This would allow an attacker to redirect someone visiting CityOnlineBank.com to a fake replica of the website under the attacker's control. The user would unwittingly give their online banking password to the attacker's fake website. This is called DNS hijacking.
That vulnerability has since been patched, but the DNS protocol itself in many ways remains fundamentally insecure. With the advent of non-Latin domain names, could we be heading into a nightmarish scenario with rogue cyber terrorists?
DNSSEC is a proposed protocol that would secure DNS using public key cryptography, but its adoption has been slow due to many factors. It is notoriously complicated to implement and maintain.
With the domain name system vulnerable, a website's "forgotten password" feature also becomes an easy target for hackers. By hijacking the CityOnlineBank email.com, an attacker could go to Facebook, eBay, or any number of online web services and request that a new password be sent to a user's email address. The attacker would then intercept that password, since it is sent not to the real CityOnlineBank email.com but to the fake one under the attacker's control. The real user is never involved in or aware of the attack at any point.
So the broadening of the Internet to include non-Latin characters is a great thing for the world, but could usher in a new round of security troubles.
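The "technical tricks" mentioned above are IDNA/Punycode, which carry a non-Latin label inside the 37-character DNS alphabet. As an added example (not part of the original post), the Python script below round-trips such names with the standard library's idna codec and performs a defender-side check that flags labels mixing letters from more than one script, one of the trouble spots internationalised names introduce; the script-name prefix list is a constructed heuristic, not the full Unicode Script property, and the sample names are constructed.

```python
"""Added example (not from the original post): IDNA/Punycode round-trips and a
mixed-script check for internationalised domain names, standard library only."""
import unicodedata

# Constructed heuristic: classify a letter by the leading word of its Unicode
# character name. The real Unicode Script property is finer-grained than this.
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARABIC", "HEBREW",
                   "DEVANAGARI", "CJK", "HANGUL", "HIRAGANA", "KATAKANA")


def to_ascii(domain: str) -> str:
    """Encode a Unicode domain name into its ASCII-compatible 'xn--' form.
    This is the on-the-wire form: only A-Z, 0-9 and '-' ever reach DNS."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Decode an 'xn--' form (or a plain ASCII name) into what a user sees."""
    return domain.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Map one letter to a coarse script name, or 'OTHER' if unrecognised."""
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def scripts_in_label(label: str) -> set:
    """Set of scripts used by the letters of one label; digits and hyphens
    belong to no script and are skipped."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def mixed_script_labels(domain: str) -> list:
    """Return the labels of a domain (given in Unicode or 'xn--' form) whose
    letters come from more than one script. A label written entirely in one
    non-Latin script is an ordinary internationalised name; a label that mixes
    scripts deserves a closer look before the name is trusted or linked."""
    unicode_form = to_unicode(domain) if domain.isascii() else domain
    return [label for label in unicode_form.split(".")
            if len(scripts_in_label(label)) > 1]


def describe(domain: str) -> dict:
    """Summarise one name: display form, wire form and any mixed labels."""
    display = to_unicode(domain) if domain.isascii() else domain
    return {"display": display, "wire": to_ascii(display),
            "mixed_script_labels": mixed_script_labels(display)}


if __name__ == "__main__":
    # Constructed sample names: a German name, a Russian name, a Latin label
    # with one Cyrillic letter substituted in, and a plain ASCII name.
    for sample in ("bücher.de", "пример.рф", "p\u0430ypal.com", "example.com"):
        print(describe(sample))
```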